Electricity grid cybersecurity will be expensive – who will pay, and how much?
But what about protection?
It can be difficult even for experts to keep track of all the potential risks to the grid, an interconnected set of industrial control systems. There are big threats from very rare events, like massive solar flares. And there are relatively minor threats from nearly certain incidents, like trees falling on wires. In between are cybersecurity concerns – which themselves can range from one individual hacker playing around to a national government orchestrating intrusion attempts into the national grid.
Now consider how much we, as consumers of utility service, might be willing to pay to protect against those dangers. Making a system more secure and reliable costs money, but often the economic benefits are hard to quantify. How much was saved by preventing a citywide blackout? Was it worth millions – or billions – of dollars invested in protection? Even if that could be calculated, it’s not easy to communicate effectively to the public, who regularly face many difficult choices about where to spend their limited money.
Recouping the costs
Collectively, utility companies in the U.S. are already planning to spend billions of dollars a year on grid cyber defenses. Those investments will include securing locations and equipment, improving the security of the utility supply chain, and continuous training and workforce development. This spending in turn brings up another complication: Most electricity utilities are highly regulated by the government, so they have to provide a certain level of service and spend money on required compliance activities. In return, those utilities are permitted to recover a certain return on their investment.
When utility companies’ costs rise, they typically ask for permission from regulators to raise the prices they charge customers. What those customers can ask for, and in our view what regulators should insist on, is clear information about what those charges will be paying for.
Right now there is ongoing research exploring what the best practices are for cyber defense of public utilities, but there is only limited useful information about what those measures should cost. Ultimately, consumers can reasonably expect to shoulder some of the cost – but should get as much information as possible about the benefits that will result from the rates they’re paying.
Dominic Saebeler is Adjunct Instructor of Business Administration, University of Illinois at Springfield. Manimaran Govindarasu is Professor of Electrical and Computer Engineering, Iowa State University. This article was written in collaboration with Wei Chen Lin of the Illinois Commerce Commission. It is published courtesy of The Conversation.
